Can you help me write an if statement for the foll...

keishamtcs · ‎12-03-2018

Hi,

I need to write an if statement for the following condition. I have two services in which status is shown by 0 or 1.
0 is stop and 1 is running, It has two different sources. The alert should trigger when it is not running in both the sources i.e, (0,0) or (1,1).

i tried using something like this but it does not work. How to rectify this query ?

This is for (0,0)

| eval Application=if(((source="Primary_source" AND Status=0) AND (source="secondory_source" AND Status=0)),"Down", "Up")

This is for both (0,0) and (1,1)

| eval Application=if((((source="Primary_source" AND Status=0) AND (source="secondory_source" AND Status=1))) OR ((source="Primary_source" AND Status=1) AND (source="secondory_source" AND Status=1)),"Down", "Up")

sergeye · ‎12-03-2018

Hi If I understand you correct and you need an alert to trigger for both 0,0 and 1,1 conditions,
I guess this is an easiest way (the actual query is only the last string):

| makeresults 
| eval source="Primary_source",Status=1 
| append 
    [| makeresults 
    | eval source="Secondory_source",Status=1 ] 
| stats dc(Status) as Status | where Status = 1

this will provide you a result only if both Statuses are 1 or both statuses are 0,
and based on this you can create an alert.

kamlesh_vaghela · ‎12-03-2018

@keishamtcs

If you have the latest event from the different source for the latest status, then you can try below search to get source wise status as a column. Here, you have different events from the different source.

YOUR_SEARCH 
| dedup source | table source Status | transpose header_field=source

Now you can add conditions as per your requireemtns.
like, for (0,0)

| eval Application=if(Primary_source=0 AND secondory_source=0,"Down", "Up")

For (1,1)

| eval Application=if(Primary_source=1 AND secondory_source=1,"Up", "Down")

like that.

My Sample Search is like below.

| makeresults
| eval source="Primary_source",Status=0 | append [ | makeresults 
| eval source="secondory_source",Status=1 ] | dedup source | table source Status | transpose header_field=source 
| eval Application=if(Primary_source=0 AND secondory_source=0,"Down", "Up")

Please let me know for more assistance.

Thanks

keishamtcs · ‎12-03-2018

Hi Kamlesh,

Thanks for the input..your query is using only one condition at a time. I would need need both the condition in the same search (0,0) and (1,1).

Regards

kamlesh_vaghela · ‎12-03-2018

@keishamtcs

Yes, I have given you a sample search. Please try this one.

| eval Application=if((Primary_source=0 AND secondory_source=0) OR (Primary_source=1 AND secondory_source=1),"true", "false")

I'm not sure about what if (1,1) or (0,0), so I have kept true and false

You can change it as per your requirement.

🙂

keishamtcs · ‎12-03-2018

Yes..i did the tricked. i dont see the option of accepting this answer. any idea where is it ?

kamlesh_vaghela · ‎12-11-2018

@keishamtcs

Glad to help you. Please accept the answer. 🙂

Happy Splunking

sergeye · ‎12-03-2018

Hi,
Can you please clarify the statement for up and down because I'm not sure I understand you correct.

I see 4 possible variants, can you please approve (or disprove and fix this table):
0,0 = Down
0,1 = Up
1,0=Up
1,1=Down

is it correct?

Can you help me write an if statement for the following condition?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk